Granted, this is not the most egregious lapse CBP and its ecosystem have wrought. But it might be the one that gets traction.
US Customs Contractor Hack Breaches Traveller Images
US Customs and Border Protection (CBP) has admitted a data breach at a sub-contractor has compromised images of individuals and vehicles entering and leaving the country.
The controversial agency first learned of the “malicious cyber-attack” on May 31.
And we know this was a “malicious cyber-attack” exactly how?
“CBP learned that a subcontractor, in violation of CBP policies and without CBP’s authorization or knowledge, had transferred copies of license plate images and traveler images collected by CBP to the subcontractor’s company network,” it said in a statement.
“Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract.”
“Security by contract” isn’t a thing; a clause in a contract is not a control. And the data was breached … how?
CBP and the Transportation Security Administration (TSA) both fall under the Department of Homeland Security (DHS). Their collective track record on privacy, cybersecurity, and basic physical security leaves much to be desired.
Which leaves me scratching my head about why Delta asks its customers to put unchangeable biometric data at risk of a breach for the sake of convenience. And, to be clear, the convenience of the boarding gate scanners at some US airports is not for the passengers – it’s for Delta.
Back to the breach! Thank goodness CBP is now on the case. Per The Atlantic,
CBP claims they’ve already conducted a search, but haven’t found any of the stolen images on the dark web, where hackers sometimes trade or post stolen information for sale. In its statement to The Atlantic, CBP said it’s working with law enforcement to continue the search and survey the full extent of the damage. It hasn’t yet commented on the scope of the breach or offered specifics on the data that was stolen. Perceptics did not immediately respond to a request for comment.
And how do we know which third-party vendor left this data vulnerable? CBP told us, by way of the Washington Post:
CBP would not say which subcontractor was involved. But a Microsoft Word document of CBP’s public statement, sent Monday to Washington Post reporters, included the name “Perceptics” in the title: “CBP Perceptics Public Statement.”
Perceptics representatives did not immediately respond to requests for comment.
CBP spokeswoman Jackie Wren said she was “unable to confirm” if Perceptics was the source of the breach.
This whole thing – from prevention to protection to monitoring to response to recovery – was manageable. Yet another takeaway is that CBP has no Incident Response Plan (IRP) at its most basic level. How do we know? Any IRP with a communications step has someone vet what goes out the door, including file names and embedded document metadata; had one existed, nobody would have sent the press a Word document whose title named the vendor that is the source of the leak.
It also calls into question the whole idea of a “malicious cyber-attack”. It seems more likely that Perceptics, the alleged source of the leak, failed to safeguard data that, under its contract, it should not have held at all, yet somehow copied from CBP without CBP’s knowledge.
Hanlon’s Razor says never to attribute to malice that which is adequately explained by stupidity. Maybe the corollary here is never to attribute to a “malicious cyber-attack” that which is adequately explained by opportunism meeting trivial, if any, security. I merely speculate …
Why do I feel a bunch of SSSS-branded boarding passes are in my future?